Pwned Labs Microsoft Cloud Attack & Defense Bootcamp - Expert Edition
Leave with repeatable Microsoft Cloud attack-chain tradecraft and your own validated detections and response playbooks.
- Self-paced, on-demand • 50+ hours of training • lifetime lab access • 2 exam attempts
- Replay advanced attacks across Entra ID, Microsoft 365, Intune, and hybrid environments
- Build and validate KQL rules and Incident Response runbooks at each stage of the chain
Ideal for: Senior practitioners in cloud red teaming, detection engineering, purple teaming, incident response, and threat hunting, and security architects working hands-on in Microsoft cloud environments.
Designed for modern identity-driven Microsoft Cloud environments
Self-Paced, On-Demand | 50+ Hours of Training | $2,500 USD
MCRTP alumni and Enterprise customers receive a $500 discount, bringing registration to $2,000.
Choosing between Professional and Expert Edition?
If you want a broader foundation, MCRTP (Professional Edition) is the recommended starting point. If you want advanced, end-to-end Microsoft Cloud attack chains and detection engineering across the full kill chain, this Expert Edition is for you.
Pwned Labs Microsoft Cloud Attack & Defense Bootcamp - Expert Edition Overview
Master the full Microsoft Cloud attack surface
This comprehensive, self-paced program delivers over 50 hours of hands-on training across three core pillars: Entra ID & Microsoft 365, Hybrid Environments, and Detection Engineering. Practitioners gain deep experience executing real-world attack chains across Entra ID, Microsoft 365, Intune, workload identities, and hybrid environments that bridge on-premises Active Directory with Azure resources. Participants then create and validate detections and response playbooks at each stage of the attack chain.
The curriculum combines offensive cloud techniques with detection engineering, illustrating real-world multi-stage exploitation scenarios that reflect modern adversary behavior in Microsoft Cloud and hybrid environments.
Upon completing the training program, practitioners are prepared to demonstrate their capability in the exam environment. This fully hands-on, scenario-based assessment requires leveraging Entra ID, Intune, Microsoft 365 applications, and Active Directory in a complete exploitation path that includes Azure resources enabling hybrid connectivity. Your program registration includes two MCRTE certification exam attempts.
The exam environment evolves gradually over time through periodic rotation of flags and scenario variants. These updates keep the assessment fresh and aligned with current attack chains, while ensuring the environment remains stable, predictable, and unchanged for each candidate’s exam attempt.
An optional prep pack is included to align tools and baseline concepts before you begin.
Program access and delivery model
This Expert Edition training program is delivered as a self-paced, on-demand experience with over 50 hours of structured content.
All training content will be available on-demand from June 2026. Work through the material at your own pace, with lifetime lab access to practice and refine your skills.
Procurement options include online purchase, invoicing, and bank transfer. Vendor onboarding documentation and attendee substitution are supported. Commercial terms are provided at time of booking.
Prerequisites and learning outcomes
This program is designed for security professionals, including offensive, defensive, and cloud practitioners who want to deepen their capability with advanced Microsoft Cloud attack and defense tradecraft. Earning the Pwned Labs Microsoft Cloud Red Team Professional (MCRTP) certification provides excellent preparation for this expert-level training, but it is not required.
Practitioners who complete the program leave with repeatable attack-chain workflows and the detections and response playbooks to defend each step. Passing the exam to earn the MCRTE certification demonstrates proficiency in the following areas:
- Understand advanced Entra ID, Microsoft 365, Intune, Microsoft Graph and hybrid attack surfaces
- Execute modern initial access methods including single-factor and MFA phishing, browser injection, and ESTS cookie abuse
- Perform token theft, exchange and upgrade attacks across Entra ID and Microsoft 365
- Leverage PRT, WHfB, FoCI, NAA, and device-based tokens for stealthy lateral movement
- Conduct hybrid attack chains spanning multiple Entra ID tenants and on-prem AD domains, leveraging Azure resources that enable hybrid connectivity
- Compromise workload identities and service principals, including app-role infiltration and app-layer takeover
- Deliver cloud implants through Intune and hybrid connection mechanisms such as Azure Arc
- Identify and exploit misconfigurations in conditional access, PIM, MFA enforcement, and workload identity policies
- Gather identity and asset data with SharpHound and AzureHound and ingest it into BloodHound to map hybrid attack paths and escalation routes
- Apply tradecraft to real workload targets in hybrid environments, including resources that bridge on-premises and cloud infrastructure
- Demonstrate end-to-end OPSEC during offensive operations, including telemetry minimization, evasion techniques, and noise reduction
Defender-Focused Outcomes
- Assess and improve Microsoft Cloud security posture using Maester, Defender for Cloud, and identity hardening techniques
- Configure and tune Microsoft Defender XDR components, including Endpoint, Identity, Microsoft 365, Cloud Apps, and workload protections
- Design and enforce Conditional Access and identity protections to disrupt real Entra ID attack paths
- Harden Microsoft Entra applications and service principals
- Integrate Defender XDR and Microsoft Sentinel into a unified detection and response workflow, including investigation and containment playbooks
- Build, validate, and tune Microsoft Sentinel detections by replaying the real attack tradecraft used earlier in the program
- Navigate the Microsoft Graph API permission schema and consent model
- Apply detection engineering fundamentals, including tuning, validation, and introduction to detection-as-code concepts
- Deepen your understanding of Microsoft Cloud access tokens
Supplementary modules
In addition to the core training content, practitioners gain access to a set of advanced supplementary modules that further expand the training experience across the Microsoft Cloud attack surface and adversarial tradecraft.
If you are a penetration tester, red team operator, cloud security professional, or defender working in Microsoft 365 or hybrid environments, this expert training and its supplementary modules extend your capability beyond the core skills and into advanced red team tradecraft and detection engineering.
- AzureHound evasion techniques and advanced BloodHound analysis for hybrid environments
- Advanced Entra ID application and service principal attack chains
- Microsoft Intune attack and defense tradecraft
- Microsoft 365 lateral movement and data exfiltration techniques
- Hybrid identity attack chains spanning on-premises AD and Entra ID
- Advanced detection engineering with Microsoft Sentinel
End-to-end tradecraft and attack chains
The Pwned Labs Microsoft Cloud Attack & Defense Bootcamp – Expert Edition focuses on end-to-end tradecraft and complete attack chains used by modern red teams and threat actors across Entra ID, Microsoft 365, Intune, and hybrid environments that leverage Azure resources for connectivity.
Rather than isolated techniques, the program emphasizes full exploitation paths across identity, infrastructure, and cloud workloads, mirroring the complexity and sequencing encountered during real-world engagements.
- Identify, replicate, and detect advanced tradecraft used in recent Microsoft Cloud intrusions and campaigns
- Execute complete attack chains that span Entra ID, Microsoft 365, hybrid identity, and on-premises Active Directory
- Exploit Azure resources that enable hybrid connectivity, including Azure Arc and hybrid connection mechanisms
- Develop and validate detections and response playbooks aligned to each phase of the kill chain
Meet the expert team
This Expert Edition program is designed and delivered by the MCRTE instructor team.
Ian Austin is a security researcher and educator with a career spanning over 20 years in technical, security and leadership roles for global enterprises.
Ian was Head of Content at Hack The Box, a leading online platform for cybersecurity training and assessment. He also participated in the Green Team of Locked Shields, a NATO cyber defense exercise, contributing to the design and execution of realistic scenarios.
He is the founder of Pwned Labs, providing gamified and immersive cloud security labs for red and blue teams.
Mehmet Ergene is a five-time Microsoft Security MVP with over 15 years of experience in cybersecurity. His areas of focus include KQL, threat hunting, detection engineering, and data science. He is widely recognized for adapting the RITA beacon analyzer to KQL, giving defenders a powerful new way to detect beaconing activity using native Microsoft tooling.
Mehmet has also delivered standout presentations at major industry events, including the SANS DFIR Summit. He brings all of that hands-on expertise into his courses, making complex topics accessible and helping security professionals sharpen their skills in real-world detection and analysis.
Filip Jodoin has over half a decade of experience across both red and blue cybersecurity roles, with a strong focus on cloud adversary emulation and modern Microsoft Cloud attack techniques.
Prior to focusing on offensive security, Filip worked in Azure architecture roles at Ubisoft, where he addressed complex Microsoft Cloud security challenges at enterprise scale.
Filip is the MCRTP program designer and focuses on designing and executing realistic attack simulations across Azure, Entra ID, and Microsoft 365 to evaluate detection coverage and defensive readiness.
Edrian Miranda is an Offensive Security Engineer and Wiz MVP in Cloud Security, with hands-on experience across Azure, AWS, CI/CD pipelines, Kubernetes, containerized workloads, and Active Directory environments.
He focuses on offensive cloud and hybrid attack techniques, sharing research at conferences and community meetups, and developing custom tooling to support advanced cloud security research and adversary simulation.
Through his current and previous roles, Edrian has helped organizations design, secure, and mature cloud security and application security programs across complex environments.
Program structure
The Microsoft Cloud Attack & Defense Bootcamp - Expert Edition is delivered as a self-paced, on-demand program with over 50 hours of training.
The program is structured around three core pillars, giving you the flexibility to progress through the material at your own pace.
Private discussion and support channels are available in the Pwned Labs Discord. If Discord is restricted in your environment, contact us for an alternate comms option.
You’ll receive an email after purchase with all the information needed to get started.
Core pillars
- Pillar 1: Attacking Entra ID & Microsoft 365
- Pillar 2: Hybrid Attacks
- Pillar 3: Detection Engineering across the full kill chain
A capstone CTF is available to bring together the core components covered throughout the program.
Purchase options
Access to the Microsoft Cloud Attack & Defense Bootcamp - Expert Edition is available on-demand. Each registration includes full access to over 50 hours of self-paced training content, 365 days of lab access and two attempts for the MCRTE certification exam.
Private homepage and channels access, plus the optional prep pack, will be available from June 2026.
Private delivery available for organizations (10+ seats).
Preferential pricing: MCRTP alumni and Enterprise customers receive registration at $2,000, reflecting a $500 discount.
Ask your employer to fund MCRTE
Need approval for training spend? Use the ready-made business case below to justify MCRTE for your team.
Business outcomes:
- Validate and remove real attack paths across Entra ID, Azure, and Microsoft 365
- Improve detection coverage and response readiness for identity-driven attacks
- Deliver tuned detections and response playbooks for Microsoft Defender XDR and Sentinel
- Standardize repeatable investigation and containment workflows the team can operationalize
- Share reusable detections and playbooks to uplift team-wide capability
Payment options: pay by invoice or card. Private delivery available.

